Is web security a hopeless pursuit?
3 points by algoshift on Aug 23, 2011 | 2 comments
Two examples that make me think about this from time to time.

First, a number of sites that require registration email you with confirmation of your registration. They include your user id and password in plain text within the email. Few things are as irritating as this (at least to me). One has to think about how and if they store that email and who within the company has access to it in plain text.

Second: Google Chrome still has no security to prevent access to all of your passwords in plain text! OK, they added a "Show" button. Fantastic.

Those in tech are probably very aware of this. However, "civilians" using this browser at home or at the office might not be aware of the fact that they are opening their lives up for anyone with access to their computer.

These are just two of the many examples one might be able to come up with.

I am starting to think that I want to see a day when every device has a fingerprint scanner and passwords are history in some form and at some level. Probably not the best solution. Not sure that one exists.




The best solution is education. It's the first thing they teach security auditors. Just about all of the really hard problems in security have solved solutions that really do thwart attackers. The issue is that both organizations and regular users do not know how to actually use them correctly.


You might be assuming tech-capable users. My concern focuses around those like my parents, uncles, aunts, cousins, friends and acquaintances for whom what happens past the keyboard and mouse is as mysterious as can be. Trying to educate users, at some level, is an exercise in futility. It just isn't going to happen.

The situation here is that someone might trust a company like Google (not picking on them... just a good example of the mechanism), download Chrome and start using it for everything. This can happen at home or the office. By doing this they are exposing themselves at the worst possible level to identity theft and worse, without as much as a warning. It's perplexing, to be honest.

My wife would save emails from services that she subscribed to in order to "have the user id and password handy if I forget". Probably half a dozen emails with plain-text passwords on her machine (deleted now after an explanation). There have to be millions of people with similar issues out there.

I'd say that blaming the user isn't quite right in all cases. The sites and companies that expose their most secure information so easily are the real culprits. Google, are you reading this? Fix Chrome please, this security flaw is bad, bad, bad.



